Malware analysis OfficeSetup.exe Malicious activity | ANY.RUN

Add for printing

File name:	OfficeSetup.exe
Full analysis:	https://app.any.run/tasks/5c013a29-538e-443c-bd87-dbb5014a3161
Verdict:	Malicious activity
Analysis date:	July 27, 2024, 09:11:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	8B80F837A410C0748ABD60FAAC3824F0
SHA1:	EE3E039A294397C4E188864365395A0D1C798E84
SHA256:	DCFDED0BEE0EF9168A02ED6989C0B47A09F09A701D5C311EA09865383A329ADA
SSDEEP:	98304:3CYr0HQcLUToYkvVOax29tZXeEIsTYD1ZICGN169rzKz19ZykJEZ/RGO/lUUh0Go:f1h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - OfficeSetup.exe (PID: 5788)
  - OfficeClickToRun.exe (PID: 4132)
  - OfficeClickToRun.exe (PID: 5836)
- Scans artifacts that could help determine the target
  - OfficeSetup.exe (PID: 2492)
  - OfficeSetup.exe (PID: 5788)
SUSPICIOUS
- Process drops legitimate windows executable
  - OfficeSetup.exe (PID: 5788)
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 4132)
- Starts a Microsoft application from unusual location
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
- Reads the date of Windows installation
  - OfficeSetup.exe (PID: 5788)
- Reads security settings of Internet Explorer
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
- Application launched itself
  - OfficeSetup.exe (PID: 5788)
- Searches for installed software
  - OfficeSetup.exe (PID: 2492)
- Checks Windows Trust Settings
  - OfficeSetup.exe (PID: 2492)
  - OfficeSetup.exe (PID: 5788)
- The process drops C-runtime libraries
  - OfficeClickToRun.exe (PID: 5836)
- Executable content was dropped or overwritten
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 4132)
INFO
- Reads the machine GUID from the registry
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
  - OfficeClickToRun.exe (PID: 4132)
  - OfficeClickToRun.exe (PID: 5836)
- Reads the computer name
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 4132)
  - OfficeClickToRun.exe (PID: 2984)
- Checks supported languages
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 4132)
  - OfficeClickToRun.exe (PID: 2984)
- Process checks computer location settings
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
- Reads Microsoft Office registry keys
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 4132)
  - OfficeClickToRun.exe (PID: 2984)
- Process checks whether UAC notifications are on
  - OfficeSetup.exe (PID: 5788)
- Checks proxy server information
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 4132)
  - OfficeClickToRun.exe (PID: 2984)
- Reads the software policy settings
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 4132)
  - OfficeClickToRun.exe (PID: 2984)
- Creates files or folders in the user directory
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 2984)
- Reads CPU info
  - OfficeSetup.exe (PID: 5788)
  - OfficeSetup.exe (PID: 2492)
- Reads Environment values
  - OfficeSetup.exe (PID: 2492)
  - OfficeSetup.exe (PID: 5788)
- Create files in a temporary directory
  - OfficeSetup.exe (PID: 2492)
  - OfficeSetup.exe (PID: 5788)
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 2984)
- Creates files in the program directory
  - OfficeClickToRun.exe (PID: 5836)
  - OfficeClickToRun.exe (PID: 4132)
- Executes as Windows Service
  - OfficeClickToRun.exe (PID: 4132)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:08 19:47:42+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.38
CodeSize:	4583936
InitializedDataSize:	2929152
UninitializedDataSize:	-
EntryPoint:	0x3e1530
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	16.0.17726.20160
ProductVersionNumber:	16.0.17726.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Windows, Latin1
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft 365 and Office
FileVersion:	16.0.17726.20160
InternalName:	Bootstrapper.exe
LegalTrademarks1:	Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2:	Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName:	Bootstrapper.exe
ProductName:	Microsoft Office
ProductVersion:	16.0.17726.20160

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

150

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1700

C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

2492

"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001

C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe

OfficeSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft 365 and Office

Version:

16.0.17726.20160

Modules

Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2984

OfficeClickToRun.exe platform=x64 culture=pl-pl productstoadd=O365ProPlusRetail.16_pl-pl_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.17726.20160 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=teams,groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

OfficeSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Office Click-to-Run (SxS)

Version:

16.0.17726.20108

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4132

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Office Click-to-Run (SxS)

Version:

16.0.17726.20108

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll

4460

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5788

"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"

C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft 365 and Office

Version:

16.0.17726.20160

Modules

Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

5836

OfficeClickToRun.exe platform=x64 culture=pl-pl productstoadd=O365ProPlusRetail.16_pl-pl_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.17726.20160 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=teams,groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True scenario=CLIENTUPDATE

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

OfficeSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Office Click-to-Run (SxS)

Exit code:

Version:

16.0.16026.20140

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

30 289

Read events

29 429

Write events

581

Delete events

279

Modification events


(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2
(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ko-kr
Value: 2
(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	pt-br
Value: 2
(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ru-ru
Value: 2
(PID) Process:	(5788) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	tr-tr
Value: 2

Add for printing

Executable files

397

Suspicious files

114

Text files

143

Unknown types

Dropped files

PID	Process	Filename		Type
2492	OfficeSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892		binary
		MD5:72B2A0980F6AF4E106C11E10A0F53D9C	SHA256:B570A5D46B39E63DBCFFB939D95C0D12282EABB64E4B88B4477C6CB5381D989F
2492	OfficeSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE		der
		MD5:A20961D8BD1A5A7D241026D0011751FB	SHA256:4D6AE5BBEF0EACFDC09D5ADE4D145E883CF41B131E4C6988738769F1D32E12F3
2492	OfficeSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850		binary
		MD5:CD31BB46796C8009574DCE6FFE0889FA	SHA256:01EF5F7153FBCD460E2FB3EF9AFAF7273923D90F590D6F2DF457CBCDDE3D8DEC
2492	OfficeSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0B8A20E1F3F4D73D52A19929F922C892		der
		MD5:0840F3C261E695105CD15C84EA85BEED	SHA256:F60632399A87485A7417DDF8B407DA66794C37347B3AA9E995EC389ECD091947
2492	OfficeSetup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2R18300838-CF94-4780-9A64-04B0847981E0\VersionDescriptor.xml		xml
		MD5:532092E95CF9946D2EF9A60F2E01DF36	SHA256:DBD71E9D7CCCA9B2E182E9AC45F358C0607B17FE944058E3D59D6FE13AD3740D
2492	OfficeSetup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2R18300838-CF94-4780-9A64-04B0847981E0\v64.hash		text
		MD5:3940D56B8ECC9D19EF83568FDFA8EB41	SHA256:D50E50C6F767C65067C82587011E1E3F268261D510202749E252D80EFC945177
2492	OfficeSetup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2R18300838-CF94-4780-9A64-04B0847981E0OfficeC2RE4ECB98B-7262-4EF4-9067-BB559A3E7BF3\v64.hash		text
		MD5:3940D56B8ECC9D19EF83568FDFA8EB41	SHA256:D50E50C6F767C65067C82587011E1E3F268261D510202749E252D80EFC945177
2492	OfficeSetup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2R18300838-CF94-4780-9A64-04B0847981E0OfficeC2RE4ECB98B-7262-4EF4-9067-BB559A3E7BF3\VersionDescriptor.xml		xml
		MD5:532092E95CF9946D2EF9A60F2E01DF36	SHA256:DBD71E9D7CCCA9B2E182E9AC45F358C0607B17FE944058E3D59D6FE13AD3740D
5788	OfficeSetup.exe	C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm		binary
		MD5:AD6634DCEEE8B65832A4F39232947337	SHA256:B3E73666827C2F194EB3F557A52CD3DCC7F788EE683B9F4378E8134D55F56C27
5788	OfficeSetup.exe	C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-wal		binary
		MD5:287D056478BB8D1CBCE02D98CDEB4272	SHA256:5A8AEBF60161C31816A0FC390BDBB62BF06B048A3C6DDECBEB94E8B41AFAEE8C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

129

TCP/UDP connections

111

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2492	OfficeSetup.exe	HEAD	200	152.199.21.175:80	http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab	unknown	—	—	whitelisted
2492	OfficeSetup.exe	HEAD	200	152.199.21.175:80	http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17726.20160.cab	unknown	—	—	whitelisted
2492	OfficeSetup.exe	HEAD	200	152.199.21.175:80	http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17726.20160.cab	unknown	—	—	whitelisted
2492	OfficeSetup.exe	GET	200	152.199.21.175:80	http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17726.20160.cab	unknown	—	—	whitelisted
2492	OfficeSetup.exe	GET	200	2.16.164.97:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5836	OfficeClickToRun.exe	HEAD	200	152.199.21.175:80	http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.17726.20160/i640.cab	unknown	—	—	whitelisted
2492	OfficeSetup.exe	GET	200	2.16.164.97:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl	unknown	—	—	whitelisted
3980	svchost.exe	GET	200	95.168.195.202:80	http://95.168.195.202/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.17726.20160/i640.cab.phf?cacheHostOrigin=officecdn.microsoft.com	unknown	—	—	unknown
3980	svchost.exe	GET	206	95.168.195.202:80	http://95.168.195.202/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.17726.20160/i640.cab?cacheHostOrigin=f.c2r.ts.cdn.office.net	unknown	—	—	unknown
2492	OfficeSetup.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
1028	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6012	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	2.23.209.181:443	www.bing.com	Akamai International B.V.	GB	unknown
3992	slui.exe	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6064	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
888	slui.exe	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
t-ring-fdv2.msedge.net	13.107.237.254	unknown
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	2.23.209.181 2.23.209.177 2.23.209.183 2.23.209.182 2.23.209.185 2.23.209.176 2.23.209.156 2.23.209.158 2.23.209.160 2.23.209.193 2.23.209.179 2.23.209.189 2.23.209.187 2.23.209.133	whitelisted
google.com	172.217.16.142	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
ecs.office.com	52.113.194.132	whitelisted
mrodevicemgr.officeapps.live.com	52.109.89.117	whitelisted
f.c2r.ts.cdn.office.net	152.199.21.175	whitelisted
crl.microsoft.com	2.16.164.97 2.16.164.9 2.16.164.49 2.16.164.43	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

OfficeSetup.exe

8B80F837A410C0748ABD60FAAC3824F0

EE3E039A294397C4E188864365395A0D1C798E84

DCFDED0BEE0EF9168A02ED6989C0B47A09F09A701D5C311EA09865383A329ADA

98304:3CYr0HQcLUToYkvVOax29tZXeEIsTYD1ZICGN169rzKz19ZykJEZ/RGO/lUUh0Go:f1h

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Scans artifacts that could help determine the target

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Reads the date of Windows installation

Reads security settings of Internet Explorer

Application launched itself

Searches for installed software

Checks Windows Trust Settings

The process drops C-runtime libraries

Executable content was dropped or overwritten

INFO

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Process checks computer location settings

Reads Microsoft Office registry keys

Process checks whether UAC notifications are on

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Reads CPU info

Reads Environment values

Create files in a temporary directory

Creates files in the program directory

Executes as Windows Service

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings